WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] Re: What is more secure? HVM or PV ?

from [David Pilger] [Permanent Link][Original]
To: "Mark Williamson" <mark.williamson@xxxxxxxxxxxx>
Subject: Re: [Xen-devel] Re: What is more secure? HVM or PV ?
From: "David Pilger" <pilger.david@xxxxxxxxx>
Date: Mon, 25 Dec 2006 15:15:43 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 25 Dec 2006 05:15:40 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=bc2SmKGWLlHZzY2cVDaRuJ0iRLsr+73sILcaLOoPP0f7y0/xIFipiW2xOYY40zdfAhe2CsDAy8a48FcSP8M9agxOnsMMEXWq6s28kkvdYvPGw1QOvBb1ZQ6M08ev6KEK5KZdX1ZWfN9R0dHHdpnnqWl4VoV6zgPKa1orhD4IGys=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <200612231752.42296.mark.williamson@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <280848580612180840k666dde6fmb02a04b69cd75da@xxxxxxxxxxxxxx> <280848580612190035s27e91e67l81511abc50cfae91@xxxxxxxxxxxxxx> <200612231752.42296.mark.williamson@xxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 
For PV:
The explicit hypercall API would be one possible attack vector - exploiting
any bugs in Xen.  The memory mapping interface could also be an attack vector
(including both the paravirtualised and various shadowing code paths).

PV also could be attacked in principle via the frontend / backend drivers - if
the backend driver could be compromised and made to execute arbitrary code
(or even write abitrary code to dom0's filesystem / swapfile for later
executation) then it would be possible to take over the whole machine.

The PV components have been in place for longer and have probably received
more scrutiny.  The HVM components are rather complex and have received, I
think, less eyeballing.  I'd guess (and it is really a guess) that I'd have
more confidence in PV from a security point of view, but that's definitely
not to say that there's anything specifically *wrong* with the HVM code, just
that it's less mature.



I agree, I think that because the PV API is also exposed to HVMs
(PV-on-HVM), we can conclude that HVMs are theoretically less secure,
becuase they have more attack vectors.

David.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] x86 swiotlb questions, Keir Fraser
Next by Date:  [Xen-devel] VMX status report 13156:159ae46d5e7f, Yu, Ping Y
Previous by Thread:  Re: [Xen-devel] Re: What is more secure? HVM or PV ?, Mark Williamson
Next by Thread:  [Xen-devel] pagetables for HVM domains, Tim Wood
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy